At the Crossroads – Privacy and Information Security 20 th Annual National Training Conference Fiduciary and Investment Risk Management Association Inc. ™. Julia Kirby, Senior Manager Deloitte & Touche, LLP Regulatory Consulting Group April 11, 2006. Agenda.
At the Crossroads – Privacy and Information Security20th Annual National Training ConferenceFiduciary and Investment Risk Management Association Inc. ™
Julia Kirby, Senior Manager
Deloitte & Touche, LLP
Regulatory Consulting Group
April 11, 2006
The purpose of this presentation is to briefly describe regulatory developments related to privacy and information security. Deloitte & Touche LLP is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte & Touche LLP shall not be responsible for any loss sustained by any person who relies on this presentation. For complete regulatory requirements, please refer to the text of the rules themselves.
The Balancing Act – Privacy & Information Security
Financial institutions must balance growing expectations while complying with the current legal environment.
A Tool to Help Along the Way
Records management is a risk-focused tool that can help manage expectations and maintain compliance.
How Records Management Can Help
The goal of records management is to control and mitigate an organization’s exposure to risk.
Violations of “the recordkeeping and access requirements of various securities laws” (March 2002)
$10 millionCompliance Risk
Recent compliance failures have placed greater public scrutiny on corporate records management practices.
“Failed to preserve for three years…all electronic mail communications”(February 2005)
NASD, NYSE, SEC
Brokerage Firms (4)
Violations of “recordkeeping requirements concerning business-related internal e-mail communications” (August 2004)
Brokerage Firms (5)
Violations of “record-keeping requirements concerning e-mail communications” (December 2002)
PAZ Securities, Inc.
Bear, Stearns & Co., Inc.
UBS Warburg LLC
Failed to respond in a timely and effective manner to a subpoena by the State of Illinois Securities Department (June 2005)
In Zubulake v. UBS Warburg LLC, UBS was ordered to search and retrieve relevant e-mails from its archives (July 2004)
Failed to effectively respond to NASD subpoena of various records (October 2005)
Conflicts of interest “revealed in internal e-mail communications” during an investigation by Elliot Spitzer (May 2002)
Expelled from NASD
$100 millionLitigation Risk
The risk of incurring litigation or failing to meet legal responsibilities can also have financial impact for an organization.
Monetary Impact ($)
Announcement of investigation by NY AG Elliot Spitzer (April 2002)
Insurance Firms (4)
NY AG Elliot Spitzer files civil complaint against Marsh & McLennan, ACE, The Hartford, Munich American Risk Partners (October 2004)
4 trading days
Investigation by NY AG Elliot Spitzer and the SEC led to the resignation of AIG's CEO and Chairman Hank Greenberg (January 2006)
$59 billionReputational Risk
Investigations and/or negative media headlines can result in dramatic changes in the market value of a company.
Change in Market Value
Convenience and cost are forcing new information delivery strategies that paper-based systems cannot deliver
Government and industry are aligned to implement laws that encourage the elimination or reduction of paper
Electronic discovery is becoming more common as electronic records management increases
Records Retention Costs
Unit prices of traditional vs. electronic records retention (at scale) are incomparable
Increasing reliability and decreasing costs lead to limitless applications of technology
Traditional records management firms are hungry for new revenues and view electronic services as a logical next stepDriving Forces in Records Management
The growing importance of records management has led to changes in the marketplace, government, and industry.
Universe of Record Retention Requirements for International Financial Institutions*
Internal Revenue Code
International SupervisoryBody Requirements
Bank RecordsVast and Complex Environment
The universe of retention requirements applicable to an organization’s activities has grown to several thousand and is continually evolving.
*These are provided as an example. Seek counsel’s advice regarding requirements applicable to your organization.
Each of the major components of records management presents different implementation issues.
Records Management Program
A comprehensive policy is critical to communicating and implementing a records management program.
Approval may be required from all business units, a lengthy process which can significantly delay implementation
Records management must be consistent with existing bank policies, i.e. ethics, data security, e-mail
Enforcement of the policy must be incorporated into the self-assessment or audit processes
Logistical obstacles must be overcome in training all employees and new hires
The retention schedule must capture all applicable requirements while remaining user-friendly for the business units.
Applicable requirements are dependent upon the structure of the organization, i.e. bank holding company, financial company, non-bank subsidiaries
Requirements originate from a number of sources, i.e. legal statutes (federal, state, local), regulatory guidance, industry guidelines, foreign jurisdictions
Organizations must be able to easily update the retention schedule to account for new requirements
Ease of Use
Business users must be able to easily lookup a record and determine its retention period
Commitment and communication are vital to successful program governance.
Records management responsibilities must be added without overburdening existing roles
Every employee impacts records management, from the CEO to the new hire
Consistent commitment from the top facilitates compliance throughout the organization
Communication is key to establishing a culture where records management is emphasized
Secure processes are required to ensure effective storage, retrieval, and destruction of bank records.
Legal and regulatory inquiries demand that records be retrieved in a timely manner by content, date, or creator
Storage of off-site itemsmust be documented and transported consistently
Complicated destruction procedures are needed to offset advances in forensic recovery analysis
Retrieval, storage, and destruction processes must be invulnerable to unauthorized access of data
Third-party warehousing has far reaching consequences beyond records management.
A consistent logging procedure is necessary to ensure storage, retrieval and destruction
The reputation of the vendor will directly correlate with the reputational risk to the bank
Warehouses must be integrated with business continuity plans to recover from disaster
Third-party vendor requirements must be applied
Effective e-mail management mandates changes in systems as well as corporate behavior.
Management of electronic records is dependent on system search, backup, and restoration capabilities
System storage capacity is finite and average industry volume is excessive
E-mail records on personal workstations are accessible as part of a legal or regulatory inquiry
All e-mails are business records, regardless of the content
Evaluating the current state and envisioning the ideal state are the first steps to be taken.
Review Policies and Procedures
Identify Existing Records
Critical Success Factors
Deloitte & Touche LLP
555 12th Street N.W., Suite 500
Washington, D.C. 20004-1207